Disclaimer

Any views expressed in this talk are my own and not those of my employer.

This talk discusses work performed in my spare time analyzing malware I personally received. Analysis was published with the EFF and Citizen Lab, independently of Google.
Cute Cats Theories

Ethan Zuckerman - The Cute Cat Theory of Digital Activism

“Sufficiently usable read/write platforms will attract porn and activists”

(and lolcats)

Morgan Marquis-Boire - The CuteCats.exe Theory of Digital Activism

“Once a platform attracts a critical mass of activists, it will be used to target them”
Anti-Dissident Campaign

Civil Unrest Begins: January 26, 2011

2012: Anti-Dissident Operations Discovered

Skype [Deliver Malware]
Fake Facebook [Deliver Malware]
Fake Youtube [Deliver Malware] [Phishing]

CNN Reporting
Burhan Ghalioun Facebook Hack

Malicious applications

Phishing website

[Screenshot: phishing page at www.ckku.com/includes/ln.htm imitating the Facebook login form ("Welcome To Facebook Browser", Email, Password, "Keep me logged in", "Sign up for Facebook", "Forgot your password?")]

https://www.eff.org/deeplinks/2012/04/new-wave-facebook-phishing-attacks-targets-syrian-activists
Suicide Bombing and Phishing

Emotional Social Engineering

[Screenshot: Facebook post by the page "Revolucion Siria 2011. Espana" (2,243 likes), March 8 at 12:47pm, translated from Spanish:]

"We are sharing this video with you again because of the great interest in its DISSEMINATION!!! ...YOUR OBLIGATION IS TO SPREAD IT!!!!

This video is one of the most dangerous to reach us from Syria. It shows the torture inflicted on the wounded by the hospital's doctors. 'They tied the men's penises to stop them urinating' 'They performed operations without anesthesia so the wounded would suffer more' 'I saw doctors banging patients' heads against the wall' 'They blindfolded them and electrocuted them'"

Linked video: "Leaked: Torture of the wounded in the Homs military hospital - SYRIA (Spanish subtitles)" (www.youtube.com)

Comments:

Paqui Garcia: "I can't watch it, but I'm sharing it. Stay strong." (March 8 at 1:32pm)

Mohammed Sarwa: http://l0ginl.cixx6.com//photo-phps/426519_333998546633128_33140461022 5 85 5_1082043_15 8875083/login/facebook/ar/?i=247881 (posted twice, March 8 at 3:49pm)

https://www.eff.org/deeplinks/2012/03/pro-syrian-government-hackers-target-syrian-activists-facebook-phishing-attack
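The lure link in the comment above and the fake login page on the earlier slide are the two shapes a defender can check for: a non-Facebook host carrying "login"/"facebook" in its path with a digit-for-letter host label, and an unremarkable URL whose page body is a password form under a Facebook-branded title. The following is an added example written for this page, not code from the talk or its author. The hosts l0ginl.cixx6.com and www.ckku.com and the path shape come from the slides; the long numeric path segment is replaced by the placeholder PHOTO-ID, and the legitimate-host list, the lookalike table and the HTML page body are constructed assumptions.

```python
"""Link and page heuristics for the Facebook credential-phishing lures on the slides.

Added example for this page, not code from the talk. Hosts and path shape come
from the slides; PHOTO-ID, LEGITIMATE_HOSTS and LURE_HTML are constructed.
"""
import re
from urllib.parse import urlparse

# Hosts allowed to serve this brand's login form (assumption; maintain per brand).
LEGITIMATE_HOSTS = {"facebook.com", "www.facebook.com", "login.facebook.com"}
BRAND_WORDS = ("facebook", "login")

# Digits commonly substituted for the letters they resemble (l0gin -> login).
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def is_legitimate_host(host):
    host = host.lower()
    return host in LEGITIMATE_HOSTS or host.endswith(".facebook.com")


def lookalike_labels(host):
    """Host labels that spell a brand word once digit-for-letter swaps are undone."""
    found = []
    for label in host.lower().split("."):
        undone = label.translate(LOOKALIKE)
        if undone != label and any(w in undone for w in BRAND_WORDS):
            found.append(label)
    return found


def assess_link(url):
    """Brand words in the path or a lookalike label on a host that is not the
    brand's own: the signals the lure link on the slide exhibits."""
    parts = urlparse(url)
    host = parts.hostname or ""
    reasons = []
    if is_legitimate_host(host):
        return {"url": url, "suspicious": False, "reasons": reasons}
    in_path = [w for w in BRAND_WORDS if w in parts.path.lower()]
    if in_path:
        reasons.append("brand words in path on a non-brand host: " + ", ".join(in_path))
    labels = lookalike_labels(host)
    if labels:
        reasons.append("digit-for-letter lookalike host label: " + ", ".join(labels))
    return {"url": url, "suspicious": bool(reasons), "reasons": reasons}


def assess_page(url, html):
    """Extend the link verdict with the page body: a password field under a
    brand-named title on a non-brand host is the www.ckku.com case, where the
    URL itself gives nothing away."""
    verdict = assess_link(url)
    if is_legitimate_host(urlparse(url).hostname or ""):
        return verdict
    title = TITLE.search(html)
    title_text = title.group(1).lower() if title else ""
    if PASSWORD_FIELD.search(html) and any(w in title_text for w in BRAND_WORDS):
        verdict["reasons"].append("password form under a brand-named title on a non-brand host")
        verdict["suspicious"] = True
    return verdict


# The lure link from the comment on the slide, numeric segment replaced by PHOTO-ID.
LURE_URL = "http://l0ginl.cixx6.com//photo-phps/PHOTO-ID/login/facebook/ar/?i=247881"
# Constructed page body modelled on the www.ckku.com screenshot.
LURE_HTML = """<html><head><title>Welcome To Facebook Browser</title></head>
<body><form method="post" action="#">
Email: <input name="email"> Password: <input type="password" name="pass">
<input type="checkbox" name="keep"> Keep me logged in
</form></body></html>"""


if __name__ == "__main__":
    for v in (assess_link(LURE_URL),
              assess_link("https://www.facebook.com/login.php"),
              assess_page("http://www.ckku.com/includes/ln.htm", LURE_HTML)):
        print(v["url"], "SUSPICIOUS" if v["suspicious"] else "ok", v["reasons"])
```

The two checks are deliberately separate: the link heuristic can run on a URL before anything is fetched (in a mail or chat gateway), while the page heuristic needs the body and so belongs in a proxy or a sandboxed fetch. Both key off a single allow-list of brand hosts, which is where false positives are tuned.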
Fake You Tube Phishing

https://www.eff.org/deeplinks/2012/03/fake-youtube-site-targets-syrian-activists-malware
Fake Revolutionary Plans

https://www.eff.org/deeplinks/2012/04/campaign-targeting-syrian-activists-escalates-with-new-surveillance-malware

Zero-Hour Plan for Aleppo

[Screenshot: PDF viewer showing "0_Aleppo plan.pdf"]

https://www.eff.org/deeplinks/2012/05/trojan-hidden-fake-revolutionary-documents-targets-syrian-activists
Encription... can haz?

https://www.eff.org/deeplinks/2012/05/fake-skype-encryption-tool-targeted-syrian-activists-promises-security-delivers
Anti-Hacker.exe

[Screenshot: "Anti Hacker V 2.1" window reading "You PC is Protect now thank Por using our Product", with buttons Active | DeActive | Close | About; the About box shows Anti Hackers, Version 2.1.0.16, Copyright 2009-2011 AntiHackers, All rights reserved]

https://www.eff.org/deeplinks/2012/08/syrian-malware-post
Tools & Actors

DarkComet RAT - Remote Administration Tool

https://citizenlab.org/2012/06/syrian-activists-targeted-with-blackshades-spy-software/

https://www.eff.org/deeplinks/2012/03/how-find-syrian-government-malware-your-computer-and-remove-it/

http://www.wired.com/wiredenterprise/2012/07/dark-comet-syrian-spy-tool/
Group 1 - Alosh

Domains: 

alosh66.no-ip.info 

alosh66.myftp.org 

alosh66.servecounterstrike.net 

alosh66.linkpc.net 

Distinguishing feature: 

Predictable C2 domain naming convention. 

Tools: 

Dark Comet RAT 
BlackShades RAT 
Group 1 - Alosh

Attacks:

March - Fake YouTube Website

* YouTube Credential Phishing

* DarkComet RAT

June / July / August - Skype Phishing

* BlackShades RAT (4 different variants)
Group 2 - Meroo

Domain: 

meroo.no-ip.org 


Distinguishing feature: 

Repeated use of 216.6.0.28 as C2. 


Tools: 

Dark Comet RAT 
Xtreme RAT 
Group 2 - Meroo

Duration: 

November 2011 - June 2012 


Distinct Campaigns 

Zero Hour plan for city of Aleppo 
Plans for a revolutionary high council 
Skype Encryption Application 
Anti-Hacker Tool 
and many more... 

17 Dark Comet samples connecting to 216.6.0.28 
1 Xtreme Sample connecting to 216.6.0.28 
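The two clusters are distinguished by exactly the kind of indicator that is cheap to match in DNS and connection logs: Group 1 by a predictable "alosh66" label in front of several dynamic-DNS suffixes, Group 2 by repeated use of 216.6.0.28. The following is an added example written for this page, not code from the talk or its author. The domains, the address and the group names come from the slides; the log line format, the 10.0.0.x client addresses, the sibling host alosh66.zapto.org and the ports are constructed for illustration.

```python
"""Indicator matching for the two Syrian C2 clusters described on the slides.

Added example for this page, not code from the talk. Domains, the 216.6.0.28
address and group names come from the slides; everything else is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators as listed on the slides.
ALOSH_DOMAINS = {
    "alosh66.no-ip.info",
    "alosh66.myftp.org",
    "alosh66.servecounterstrike.net",
    "alosh66.linkpc.net",
}
MEROO_DOMAINS = {"meroo.no-ip.org"}
MEROO_C2_IPS = {ipaddress.ip_address("216.6.0.28")}

# Group 1's distinguishing feature is the naming convention: the same "alosh66"
# label in front of several dynamic-DNS suffixes. Matching the label rather than
# the full host also catches a sibling registered under a provider not listed.
ALOSH_LABEL = re.compile(r"^alosh66\.[a-z0-9-]+(?:\.[a-z0-9-]+)+$")

# Constructed log formats:
#   DNS  <client-ip> <queried-name>
#   CONN <src-ip> -> <dst-ip>:<dst-port>
DNS_RE = re.compile(r"^DNS\s+(\S+)\s+(\S+)$")
CONN_RE = re.compile(r"^CONN\s+(\S+)\s+->\s+(\S+):(\d+)$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    indicator: str
    group: str
    reason: str


def classify_domain(qname):
    """Return (group, reason) for a queried name, or None if it is not an indicator."""
    name = qname.lower().rstrip(".")
    if name in ALOSH_DOMAINS:
        return "Alosh", "known C2 domain"
    if ALOSH_LABEL.match(name):
        return "Alosh", "matches the alosh66.* dynamic-DNS naming convention"
    if name in MEROO_DOMAINS:
        return "Meroo", "known C2 domain"
    return None


def classify_ip(addr):
    """Return (group, reason) for a destination address, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip in MEROO_C2_IPS:
        return "Meroo", "connection to the shared C2 address 216.6.0.28"
    return None


def scan(lines):
    """Run both classifiers over log lines and return every indicator hit."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = DNS_RE.match(line)
        if m:
            verdict = classify_domain(m.group(2))
            if verdict:
                hits.append(Hit(n, m.group(1), m.group(2), *verdict))
            continue
        m = CONN_RE.match(line)
        if m:
            verdict = classify_ip(m.group(2))
            if verdict:
                hits.append(Hit(n, m.group(1), m.group(2), *verdict))
    return hits


def affected_clients(lines):
    """Map each client with at least one hit to the groups it touched."""
    out = {}
    for h in scan(lines):
        out.setdefault(h.client, set()).add(h.group)
    return out


# Constructed sample log: clients, the zapto.org sibling and the ports are invented.
SAMPLE_LOG = [
    "DNS  10.0.0.5 www.example.org",
    "DNS  10.0.0.5 alosh66.no-ip.info",
    "DNS  10.0.0.7 alosh66.zapto.org",
    "CONN 10.0.0.7 -> 216.6.0.28:1604",
    "DNS  10.0.0.9 meroo.no-ip.org",
    "CONN 10.0.0.9 -> 192.0.2.10:443",
]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.indicator} [{h.group}] {h.reason}")
```

The label pattern is what makes the Alosh indicator durable: the four listed hosts can be dropped by the operator in an afternoon, but the habit of reusing one label across dynamic-DNS providers is what the slides identify as the group's signature. The IP indicator for Meroo is the opposite trade-off, precise but brittle, so both are kept and reported separately.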
Libya

gadaffigooglemaps.exe

Pro-Regime Electronic Actors - Libya

Duration: 

2011 

Campaigns 

Tactical Social Engineering against military operations rooms.

Implant 

BlackShades RAT 

Command and Control 

lyone.no-ip.biz 
Bahrain

Activists Targeted

From Bahrain with love...

FinFisher

More details

https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/
Response / Notification

Notification

Blog Posts (Electronic Frontier Foundation)

Education

Open to ideas...
Posts

Bahrain (FinFisher):

https://citizenlab.org/wp-content/uploads/2012/08/09-2012-frombahrainwithlove.pdf

http://www.bloomberg.com/news/2012-07-25/cyber-attacks-on-activists-traced-to-finfisher-spyware-of-gamma.html

http://www.bloomberg.com/news/2012-08-08/finfisher-spyware-reach-found-on-five-continents-report.html

Syria:

https://www.eff.org/deeplinks/2012/03/how-find-syrian-government-malware-your-computer-and-remove-it

https://www.eff.org/deeplinks/2012/03/fake-youtube-site-targets-syrian-activists-malware

https://www.eff.org/deeplinks/2012/03/pro-syrian-government-hackers-target-syrian-activists-facebook-phishing-attack

https://www.eff.org/deeplinks/2012/04/campaign-targeting-syrian-activists-escalates-with-new-surveillance-malware

https://www.eff.org/deeplinks/2012/04/new-wave-facebook-phishing-attacks-targets-syrian-activists

https://www.eff.org/deeplinks/2012/05/fake-skype-encryption-tool-targeted-syrian-activists-promises-security-delivers

https://www.eff.org/deeplinks/2012/05/trojan-hidden-fake-revolutionary-documents-targets-syrian-activists

https://www.eff.org/deeplinks/2012/06/darkshades-rat-and-syrian-malware

https://www.eff.org/deeplinks/2012/07/new-blackshades-malware

https://www.eff.org/deeplinks/2012/08/syrian-malware-post

https://citizenlab.org/2012/06/syrian-activists-targeted-with-blackshades-spy-software/

Iran:

http://citizenlab.org/2012/05/iranian-anti-censorship-software-simurgh-circulated-with-malicious-backdoor-2/
Thanks

Eva Galperin & EFF 
John Scott-Railton 
Collin Anderson 
Citizen Lab 
Telecomix 

Privacy International 
Google Security Team 
and Kdotcdot. 
Questions